Analysis
- max time kernel: 127s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 05:55

Static task: static1
Behavioral task: behavioral1
- Sample: c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
- Resource: win7-20220414-en
General
- Target: c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
- Size: 2.7MB
- MD5: c37a90a51d440a83a7096423c8e04809
- SHA1: 7094470281801383ed8991407359e339e58cf6f3
- SHA256: c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3
- SHA512: 70a1b9181a3de343d541ecfc73b76f5e7229653a2c15e82d985e558786ce3a5bb9804dfcc34a96b11d3f49dadc015c005f9adc62fda0aec957e87dc1e75d21b2
Malware Config
Extracted from: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
- Family: qulab
- URL: http://teleg.run/QulabZ
Information.txt lives in the staging directory 1 that the process tree below shows being archived and then hidden with attrib.
Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
  resource                                      yara_rule
  behavioral1/files/0x000900000001230c-81.dat   acprotect
  behavioral1/files/0x000900000001230c-82.dat   acprotect
Executes dropped EXE 1 IoCs
  pid   Process
  1920  NAPHLPR.module.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
  pid  Process
  876  attrib.exe
UPX packed file 6 IoCs
  resource                                                                      yara_rule
  behavioral1/files/0x000900000001230c-81.dat                                   upx
  behavioral1/files/0x000900000001230c-82.dat                                   upx
  behavioral1/files/0x000a00000001233f-84.dat                                   upx
  behavioral1/files/0x000a00000001233f-85.dat                                   upx
  behavioral1/files/0x000a00000001233f-87.dat                                   upx
  behavioral1/memory/1920-90-0x0000000000400000-0x000000000047D000-memory.dmp   upx
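The upx YARA hits above flag five dropped resources and one memory dump of NAPHLPR.module.exe as UPX-packed. The following Python is an added example, not part of the sandbox report or of any tool it names: it walks a PE section table by hand (no pefile dependency) and reproduces the two indicators such a rule relies on, UPX0/UPX1 section names and the "UPX!" marker the packer stub leaves in the header area. build_minimal_pe is a constructed stub header used only as offline test input; it is not a loadable executable and not one of the files from this report.

```python
import struct

# Offsets and layouts from the PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C
SECTION_HEADER_SIZE = 40
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image by walking the section table."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    #   +2  NumberOfSections (WORD)
    #   +16 SizeOfOptionalHeader (WORD)
    (number_of_sections,) = struct.unpack_from("<H", data, e_lfanew + 4 + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    table = e_lfanew + 4 + 20 + size_of_optional
    names = []
    for i in range(number_of_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("truncated section table")
        (raw_name,) = struct.unpack_from("<8s", data, off)
        names.append(raw_name.rstrip(b"\x00").decode("latin-1"))
    return names


def classify_upx(data: bytes) -> dict:
    """Reproduce what a 'upx' YARA rule looks for: UPX0/UPX1/UPX2 section
    names, plus the 'UPX!' marker written by the UPX stub."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    # The marker survives when section names were renamed after packing,
    # so it is the more robust of the two indicators.
    upx_magic = b"UPX!" in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_magic": upx_magic,
        "packed": bool(upx_sections) or upx_magic,
    }


def build_minimal_pe(section_names, trailer: bytes = b"") -> bytes:
    """Constructed test input: the smallest byte string the parser accepts.
    Not a loadable executable, just enough header for the section walk."""
    dos_header = DOS_MAGIC + b"\x00" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x40)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        struct.pack(SECTION_HEADER_FMT, n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names
    )
    return dos_header + PE_SIGNATURE + file_header + sections + trailer


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_upx(fh.read()))
```

Run it as a script with one or more dropped files as arguments. A hit on section names alone is worth confirming with the marker, since section names are trivially renamed; a marker hit without UPX sections usually means a modified or scrambled UPX stub, which is common in commodity stealers.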
Loads dropped DLL 4 IoCs
  pid   Process
  1660  NAPHLPR.exe  (4 load events)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     ipapi.co
  7     ipapi.co
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
All hits are in the four processes that receive SetThreadContext/WriteProcessMemory from their parent (1556, 1660, 1420, 676), i.e. the injected payload is the AutoIt-compiled stealer.
  resource                                                                       yara_rule
  behavioral1/memory/1556-57-0x0000000000710000-0x00000000008E5000-memory.dmp    autoit_exe
  behavioral1/memory/1556-64-0x000000000073800A-mapping.dmp                      autoit_exe
  behavioral1/memory/1556-66-0x0000000000710000-0x00000000008E5000-memory.dmp    autoit_exe
  behavioral1/memory/1660-71-0x0000000000730000-0x0000000000905000-memory.dmp    autoit_exe
  behavioral1/memory/1660-78-0x000000000075800A-mapping.dmp                      autoit_exe
  behavioral1/memory/1660-80-0x0000000000730000-0x0000000000905000-memory.dmp    autoit_exe
  behavioral1/memory/1660-83-0x0000000061E00000-0x0000000061ED2000-memory.dmp    autoit_exe
  behavioral1/memory/1660-95-0x0000000061E00000-0x0000000061ED2000-memory.dmp    autoit_exe
  behavioral1/memory/1420-101-0x0000000000270000-0x0000000000445000-memory.dmp   autoit_exe
  behavioral1/memory/1420-108-0x000000000029800A-mapping.dmp                     autoit_exe
  behavioral1/memory/1420-110-0x0000000000270000-0x0000000000445000-memory.dmp   autoit_exe
  behavioral1/memory/676-115-0x0000000000670000-0x0000000000845000-memory.dmp    autoit_exe
  behavioral1/memory/676-122-0x000000000069800A-mapping.dmp                      autoit_exe
  behavioral1/memory/676-124-0x0000000000670000-0x0000000000845000-memory.dmp    autoit_exe
Drops file in System32 directory 2 IoCs
  description                   ioc                                        Process
  File opened for modification  C:\Windows\SysWOW64\winmgmts:\localhost\   NAPHLPR.exe
  File opened for modification  C:\Windows\SysWOW64\winmgmts:\localhost\   NAPHLPR.exe
Caveat: winmgmts:\localhost\ is the WMI moniker string, not a file. The sandbox has resolved it against the process's working directory (SysWOW64 here) and reported it as a path, so this hit almost certainly reflects a WMI object lookup from the AutoIt script (ObjGet("winmgmts:...")) rather than a write under System32.
Suspicious use of SetThreadContext 4 IoCs
  description                          pid   Process                                                               procid_target
  PID 1596 set thread context of 1556  1596  c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe  27
  PID 1260 set thread context of 1660  1260  NAPHLPR.exe                                                           29
  PID 1004 set thread context of 1420  1004  NAPHLPR.exe                                                           39
  PID 1368 set thread context of 676   1368  NAPHLPR.exe                                                           41
Each pair is a parent setting the thread context of a child running the same image, after also writing to its memory (see Suspicious use of WriteProcessMemory below): the RunPE/process-hollowing pattern.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic rule text flags this as likely ransomware behaviour, but nothing else in this report points to encryption; for a stealer that is already querying WMI, it is better read as system fingerprinting (e.g. a Win32_DiskDrive query).
NTFS ADS 2 IoCs
  description                   ioc                                                                                      Process
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\                                   c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\   NAPHLPR.exe
Caveat: the colon in winmgmts:\localhost\ is what trips the alternate-data-stream rule. As with the System32 hit above, this is the WMI moniker resolved against each process's working directory (Temp for the original sample, the Roaming drop directory for NAPHLPR.exe), not a real ADS write.
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid   Process
  1660  NAPHLPR.exe
Suspicious behavior: RenamesItself 1 IoCs
  pid   Process
  1556  c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
  description                  pid   Process
  Token: SeRestorePrivilege    1920  NAPHLPR.module.exe
  Token: 35                    1920  NAPHLPR.module.exe
  Token: SeSecurityPrivilege   1920  NAPHLPR.module.exe
  Token: SeSecurityPrivilege   1920  NAPHLPR.module.exe
The unresolved "35" is privilege LUID 35, SeCreateSymbolicLinkPrivilege. SeRestore, SeSecurity and SeCreateSymbolicLink are the privileges an archiver enables to read NTFS security descriptors and links, consistent with the 7-Zip-style command line NAPHLPR.module.exe is run with in the process tree.
Suspicious use of FindShellTrayWindow 12 IoCs
  pid   Process                                                               events
  1596  c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe  3
  1260  NAPHLPR.exe                                                           3
  1004  NAPHLPR.exe                                                           3
  1368  NAPHLPR.exe                                                           3
Suspicious use of SendNotifyMessage 12 IoCs
  pid   Process                                                               events
  1596  c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe  3
  1260  NAPHLPR.exe                                                           3
  1004  NAPHLPR.exe                                                           3
  1368  NAPHLPR.exe                                                           3
Suspicious use of WriteProcessMemory 44 IoCs
  pid   wrote to memory of  Process (writer)                                                      procid_target  events
  1596  1556                c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe  27             6
  1556  1260                c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe  28             4
  1260  1660                NAPHLPR.exe                                                           29             6
  1660  1920                NAPHLPR.exe                                                           33             4
  1660  876                 NAPHLPR.exe                                                           35             4
  1836  1004                taskeng.exe                                                           38             4
  1004  1420                NAPHLPR.exe                                                           39             6
  1836  1368                taskeng.exe                                                           40             4
  1368  676                 NAPHLPR.exe                                                           41             6
The four pairs that also appear under Suspicious use of SetThreadContext (1596->1556, 1260->1660, 1004->1420, 1368->676) are the hollowing injections; the remaining pairs are ordinary child creation, which the monitor also records as parent writes.
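The SetThreadContext and WriteProcessMemory tables only become useful once they are joined: a parent that both writes into a child and resets its thread context is performing RunPE-style hollowing, while a parent that only writes is (in this monitor's output) just creating a child. The following Python is an added example, not part of the sandbox report: it parses the report's event rows (the SAMPLE_EVENTS text is copied from this page, with the repeated WriteProcessMemory rows collapsed to two for the first pair), separates hollowing pairs from plain spawns, and prints the resulting injection chains from the roots down. It works on one-event-per-line input and on the flattened single-line table equally.

```python
import re
from collections import Counter, defaultdict

# One regex handles both the sandbox's per-line form and the flattened table:
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
# "PID <src> set thread context of <dst> <src> <image> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) \d+"
)

# Constructed input: the distinct event rows from this report.
SAMPLE_EVENTS = """\
PID 1596 set thread context of 1556 1596 c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe 27
PID 1260 set thread context of 1660 1260 NAPHLPR.exe 29
PID 1004 set thread context of 1420 1004 NAPHLPR.exe 39
PID 1368 set thread context of 676 1368 NAPHLPR.exe 41
PID 1596 wrote to memory of 1556 1596 c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe 27
PID 1596 wrote to memory of 1556 1596 c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe 27
PID 1556 wrote to memory of 1260 1556 c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe 28
PID 1260 wrote to memory of 1660 1260 NAPHLPR.exe 29
PID 1660 wrote to memory of 1920 1660 NAPHLPR.exe 33
PID 1660 wrote to memory of 876 1660 NAPHLPR.exe 35
PID 1836 wrote to memory of 1004 1836 taskeng.exe 38
PID 1004 wrote to memory of 1420 1004 NAPHLPR.exe 39
PID 1836 wrote to memory of 1368 1836 taskeng.exe 40
PID 1368 wrote to memory of 676 1368 NAPHLPR.exe 41
"""


def parse_events(text):
    """Yield (src_pid, verb, dst_pid, writer_image) for every event in text."""
    for m in EVENT_RE.finditer(text):
        yield int(m["src"]), m["verb"], int(m["dst"]), m["image"]


def analyze(text):
    """Split parent->child memory writes into hollowing candidates (write AND
    SetThreadContext on the same pair) and plain spawns (write only)."""
    writes = Counter()
    ctx_pairs = set()
    writer_image = {}
    for src, verb, dst, image in parse_events(text):
        pair = (src, dst)
        writer_image[pair] = image
        if verb == "wrote to memory of":
            writes[pair] += 1
        else:
            ctx_pairs.add(pair)
    hollowing = sorted(p for p in ctx_pairs if writes[p] > 0)
    # The monitor also logs the loader's own writes during an ordinary
    # CreateProcess, so write-only pairs are just child creation.
    spawn_only = sorted(p for p in writes if p not in ctx_pairs)
    return {
        "hollowing": hollowing,
        "spawn_only": spawn_only,
        "writes": dict(writes),
        "writer_image": writer_image,
    }


def injection_chains(result):
    """Render the parent/child graph from the roots down, tagging each edge."""
    edges = result["hollowing"] + result["spawn_only"]
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted(src for src in children if src not in targets)
    lines = []

    def walk(pid, depth):
        for child in sorted(children[pid]):
            tag = "hollowed" if (pid, child) in result["hollowing"] else "spawned"
            image = result["writer_image"][(pid, child)]
            lines.append(f"{'  ' * depth}{pid} -> {child} ({tag}, {image})")
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(injection_chains(analyze(SAMPLE_EVENTS))))
```

The output has two roots: the submitted sample (1596) and taskeng.exe (1836), and every hollowed process is the child of a freshly spawned copy of the same image, which is exactly the RunPE loop an AutoIt crypter stub runs. The same join (WriteProcessMemory plus SetThreadContext on one parent/child pair, same image name) is a reasonable EDR detection rule; the write-only pairs show why WriteProcessMemory on its own is too noisy to alert on.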
Views/modifies file attributes 1 TTPs 1 IoCs
  pid  Process
  876  attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe  (PID 1596)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe  (PID 1556; child of 1596, which wrote to it and set its thread context, i.e. the hollowed copy)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c58178687435a7997d8de3fcd8a76c1a4447beaabb4977882e4bc39ea27cc5a3.exe"
    - NTFS ADS
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe  (PID 1260; child of 1556)
      Command line: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
      - Suspicious use of SetThreadContext
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe  (PID 1660; hollowed child of 1260)
        Command line: "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
        - Loads dropped DLL
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe  (PID 1920; child of 1660)
          Command line: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"
          The arguments follow 7-Zip's command-line syntax (a = add to archive, -y = assume Yes on all queries, -mx9 = maximum compression, -ssw = compress files that are open for writing): the staging directory 1, which also holds the extracted Information.txt, is packed into ENU_687FE975325E824E9D41.7z for exfiltration.
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\attrib.exe  (PID 876; child of 1660)
          Command line: attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"
          Marks the drop directory System+Hidden so it is not shown by Explorer or a plain dir listing; use dir /a or Get-ChildItem -Force to see it.
          - Sets file to hidden
          - Views/modifies file attributes
- C:\Windows\system32\taskeng.exe  (PID 1836)
  Command line: taskeng.exe {693C149F-AFA5-47F5-B336-7FC08E789F6B} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
  taskeng.exe is the Task Scheduler engine for the Admin interactive session; it launching NAPHLPR.exe twice during the run indicates a scheduled task was registered as the persistence mechanism, even though no task-creation signature fired above.
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe  (PID 1004; child of 1836)
    Command line: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe  (PID 1420; hollowed child of 1004)
      Command line: "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
      - Drops file in System32 directory
  - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe  (PID 1368; child of 1836)
    Command line: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe  (PID 676; hollowed child of 1368)
      Command line: "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
      - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v6
Downloads
- (path not recorded)
  Filesize: 3KB
  MD5: 3db71bacd6dcfccc7e390b9d8d3f3af8
  SHA1: 10f12deb7a4f2bf3f0106c18e9592c74cdde21f6
  SHA256: cf73d85afe7487fa84c636f7a6be38c0521ce7156f6c32868238a06dbf4c252a
  SHA512: 04c49ee1b117c54ff2f77edb88a4525d7f91445abf9c407e8e048054ccf5d1b3c76803b41ff88743709c70f58fb863a81bb2907a8327f4b366bd01b4ee7d74bf
- (path not recorded)
  Filesize: 45KB
  MD5: 6a65021d5394f88d6edc53e21c022db6
  SHA1: 3e4ec0a97d669bead1220f31ae486638de55ce51
  SHA256: 989f413d553993734a8a74a0b31a946f1a0d7b2ff042d0c2447d242f778b10cf
  SHA512: 818071114bbb55eda18c68926e5940deb24297983dee5847abb431e6dc62125e086c83f65067dae643245d30ccf2a9a39d56085285ca6e45bdaf01ca4b6a0c5d
- (path not recorded; the same file appears three times in the original listing with identical hashes)
  Filesize: 197KB
  MD5: 946285055913d457fda78a4484266e96
  SHA1: 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
  SHA256: 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
  SHA512: 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95
- \Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll  (listed twice in the original with identical hashes)
  Filesize: 360KB
  MD5: 8c127ce55bfbb55eb9a843c693c9f240
  SHA1: 75c462c935a7ff2c90030c684440d61d48bb1858
  SHA256: 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
  SHA512: d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
  A SQLite library dropped next to the stealer. Browser credential and cookie stores are SQLite databases, which fits the "Reads user/profile data of web browsers" signature above.